Developers are not equipped to deal with exploiters

All I can really say to that is I think you’re reading in between the lines a little too much. I feel like I was pretty clear about this not being about the tech involved with security and exploits. The intent behind this post was to display the short comings of other aspects of customer service issues related to exploits.

Again I’m not trying to talk about the car, or what you can do to a car to make it safer. I’m trying to talk about the potholes in the road.

There are better and more visible places to discuss and share best practices for front-line combating exploits than replying to a thread about support systems and moderation.

In Jailbreak, we have a fairly broad set of game-specific cheat detection methods, and are coming up on our 200,000th unique ban within the past 2 years. >99% of these are confident auto-bans. These auto bans only occur after certain confidence thresholds – so I know there is a large % that we are missing. Most of them just create alternate accounts and do it again, rapidly hopping server to server.

It is a tough balance of time deciding whether to tackle patching various generic exploits vs. working on new content/features.

Agreed.

I believe the biggest issue when it comes to exploiters is the fact that they only need to spend 2 minutes of their life creating another account to use to exploit each time they get banned.

In a remote event, it returns the player object.
Couldn’t Roblox also return the file data of the localscript? If it doesn’t match up with the original file then it’s a modified or different localscript firing the remote.

Exploiting is holding the platform back more than anything else in my opinion.

Making a game with any competitive or pvp aspect is basically no longer viable without hiring an entire moderation team and having at least 1 developer dedicated to anti exploits, which at this point just gets you to the bare minimum.

Cheating is so rampant on the site, it feels like most younger players don’t even know its wrong.

Like @LMH_Hutch said, players are simply not discouraged to cheat. And if they do get caught, they can make a fresh account in seconds. It’s extremely discouraging towards creators.

We’ve had to delay major content updates for Jailbreak due to increases in exploits. Exploits are a serious impact to our gameplay allowing players to arrest others or complete robberies automatically. These players then leave, join a new server, and hit the next set of players or stores.

We’ve also had to disable core features of the game because of exploiting. Players are now limited to how much cash they can drop to other players. We’ve had to disable our safe gifting system too, due to exploiters donating safes to their main accounts for easy cash.

I was never fully aware of just how common exploiters are until I started tracking how many people we were banning in my game. In 2 months, we’ve banned over 50,000 exploiters.

And that’s for a non-competitive game. I wouldn’t even bother making a competitive game due to how relentless exploiters are these days.

Thank you for articulating what a lot of us have been struggling to deal with.

I spent more time than it was worth trying to make an automatic anti-cheat system and the trial and error got so bad I just ended up employing a dedicated mod member to run through a ticket system.

Edit: Moderating a player has little to no effect on the sustained amount of reports we get. It very much feels like a pointless battle to fight in.

Here’s a feature request that would go a long way to giving us the proper foundations to secure player movement, without having to radically throw away humanoids or physics or anything extreme like chickynoid does.

This is the one thing that always kept me from creating my own experiences. Just as @Intrance’s example shows - even in non-competitive games, people will still exploit to a degree that is just saddening. The worst part about it? There’s a whole section in the ToS that says that you’re not allowed to inject code into the client and Roblox does jack rabbit about it. This is outrageous! They either should allow white hacking on the site or enforce their ToS. The devs shouldn’t be the ones enforcing those rules in their stead.

A lot of people complain that exploits go rampant in their games, throw around the number of bans, however often they forget to mention the flaws or lack of security in their own code.
Some things I’ve seen certain front page games do:

• sending a number from the client and using it in the damage formula on the server without any verification
• not checking if a different player’s inventory item was passed to the equip remoteevent, allowing to steal items
• not checking if a reward was already claimed on the server, allowing to claim it infinitely
• having two damage remoteevents use the same server function and not checking cooldowns in one of them
• passing item quantity from the client in a buy/sell remoteevent and not checking for a negative quantity

Those were all present in a few former/current front page games. A few front page games had this kind of flaws. Now imagine if more were examined.
If you’ve heard of the R2DA case, exploiters were able to ban the creator himself from his own game. Do you think that’s a roblox issue? No! It was once again a flaw in a poor code. Having hwid/ip bans would not prevent that at all.
People need to realize that they have to consider security in every serious programming project, whether on roblox or not, instead of jumping on the bandwagon of “give us bans roblox, my game is exploited, look at my bans count” without realizing that it wouldn’t solve issues with their own code.

Also what I mentioned were flaws in code. Accidental ones for the most part. But there are also a lot of simple dedicated checks that some games could implement, and yet they still didn’t for some reason. This is mostly basic cooldowns, range checks, logic checks, etc.
Some people mentioned that creating such checks requires more people and effort. And yet a single The Wild West developer managed to create what’s probably the most innovative and sophisticated anticheat to have ever existed on roblox. Some of their solutions were on par with what roblox does internally. I have yet to see any other game do 1/4 of what they did. That’s the only kind of dev whose game truly deserves access to hwid & ip bans in my opinion.

I’m aware that there are also games which already tried and seemingly ran out of options so hwid/ip bans would help them. Of course I agree. However I feel like a lot of people only came here to vent about exploiters and blame it on roblox, often acting like they know better what kind of measures roblox takes to fight exploits, while they themselves don’t even try fixing flaws in their code or implementing basic checks.
I don’t want to point fingers but i.e. one reply here states that roblox doesn’t do anything at all to combat exploiters. Another reply describes how someone had to shutdown their game because they didn’t know how to save the ban in datastores, and that a tool like hwid/ip bans would’ve prevented that. No it wouldn’t. Yet another reply (whose author claims to be studying dll injection) complains about roblox being able to detect dlls yet being “lazy” about it. If you’re studying dll injection then you should also know that i.e. WinVerifyTrust can easily be hooked, and exploits already do that.

I think the conclusion is obvious.

I’ve responded to this kind of reply already but please remember that this isn’t a post about the tech involved with exploits and exploit prevention.

As the second paragraph of the OP states if you have useful advice to give consider making a dedicated tutorial post telling people what they can do better. Tagging on information about tech in a reply on a post about moderation and support isn’t helping anyone as much as it could.

The entire point of this thread is so people can share their experience with exploiting. Skill level does not matter nor does it invalidate peoples real world experience with this issue. Bringing awareness to the shortcomings of aspects not related to anti-cheats is the goal, not putiting people down for personal errors.

It’s not our job as developers to create solutions for every problem we encounter. Asking people to share their experiences is not about opening a forum for individual criticism, it’s about giving Roblox ammo to create features and improve the platform with. Please don’t discourage people from taking part in the process Roblox asks us to participate in.

Most experienced developers know about the common vulnerabilities you mentioned. This thread isn’t about that, and it’s not really the place to try and talk down to others.

It doesn’t matter how tight your game’s security is, Roblox is fundamentally easy to exploit on its most base levels. You can have the most secure RemoteEvents in the world, it won’t stop hackers from using character/physics exploits to break your game in other ways, and many of them are nigh impossible to detect.

This is unbelievable. Hackers have payed 2.7 million robux to access your game and be banned from it. Your game must be very desirable to exploit. I can’t imagine why anyone would create an alt, fund it then hack in a game they likely know they’ll be banned from. I guess as you have outlined the account isn’t moderated otherwise so they can use it for other games.

If there were official tools as you say, where an account could be detected and banned on a per game basis, maybe they could create policies where if an account is flagged a certain number of times, then it is terminated. The tools would have to be robust to prevent false positives. (or the threshold high enough) You don’t accidentally exploit(or get false positive flagged) in 20 games per month (for example).

Then the hacker takes a couple minutes and creates another alt, all these efforts gone to waste.

Anyway I hope this thread gets some visibility and action on the Roblox side of the house.

I fully agree with this post.

Speaking from experience here, I’ve only met two developers in my time on Roblox who were able to create solid anti-exploit systems. One who was well accustomed to cyber security, and the other was just a really talented programmer. But their methodologies required a lot of trial and error with some pretty sophisticated algorithms (which even the most decent developer wouldn’t be able to figure out on their first try). What didn’t make it easy for them is the pitifully barren toolset Roblox had. It’s ridiculous how easy it is for exploiters and script kids to absolutely decimate an entire game, while it’s depressingly difficult for developers to find any ways to counter them. Take a very recent example w/ Blood & Iron. That game is seeing consistent crashing on the board. And I can’t imagine how the developers are trying to handle it.

And this isn’t accounting the fact that it’s easy to just simply make a new account, and continue the cycle. I don’t know if this would be feasible, but it would be extremely useful if we had a tool that would allow us to ban the IP address of someone within the game. Obviously the IP will be obfuscated because of how abusive it could be, but some form of solution beyond banning a user would be great.

Point is: we really need better tools for finding and preventing these vulnerabilities. It’s getting increasingly difficult to justify any of this, especially with Roblox going public.

This point cannot be emphasized enough. Exploiting is rampant, and it frequently ruins experiences for the average player. This is not a fringe issue.

I hope that Roblox will recognize the true scope of this problem and work with developers to mitigate it.

That’s not even really the worst of it. I used to be involved with the community behind the main script for Blood & Iron(although I was never a cheater myself, just kinda affiliated with the developer of it), and the features in the cheat were enough to ruin an entire match without even crashing it.
Here’s just a short list of things that were at least once possible to be done by this community in Blood & Iron:

1. invincibility
2. KillAura(anything you touch or even grace dies instantly)
3. Infinite ammo
4. Bhop
5. Ability to change certain particles with whatever decal you please, changing for all players

It just feels like this all could’ve been avoided had Roblox done anything to help developers against exploits. The person behind this specific script I mentioned is also selling it for profit, with more buyers than you could imagine. The total member count of their multiple deleted Discord servers totals about 1,000. It’s crazy how Roblox’s lack of anything against exploits allows for people to make tiny businesses entirely based off scripts which require said exploits to work. It’s also crazy how scripters on Roblox are more likely to profit from developing cheats than they would from developing their own games

TL;DR: If Roblox could just ban exploiters on exploit injection for a day, the damage done to paid scripts and exploits themselves would be massive. Roblox continously tells game developers that it is their role to secure their own games, despite giving them nothing in regards to stopping exploits. Roblox only ever cared about preventing exploits when it harmed their image, but since filtering enabled was forced in around 2017, they have no longer cared.

That sounds more like a game-specific issue that could be fixed with a server-side ammo counter imo.

I’m just going to say, you (not directed to who I am quoting) can’t entirely blame Roblox for not fixing an exploit when it is entirely in your power to do so. I am not saying that everything brought up in this thread is pure laziness. But I’ll also say that sometimes, Roblox does things that prevent exploits from working for almost a week. I’ve been around the exploiting community, and apparently all injectors were patched for 4 days because of a change in Roblox’s engine called “inlining”. It isn’t true Roblox hasn’t done anything since FE was forced.

The point of my reply is to simply show that people expect roblox to give them a magic tool which will solve all their problems with exploits, and such doesn’t exist. There isn’t a better way to convey it.

I agree that roblox could provide more tools to us developers to combat this. However it’s also important to think what kind of tools would help you with your specific case? And most importantly do they exist at all?

Imagine your game has a similar issue as the person 2 replies above: killaura, infinite ammo, changing decals for all players. What tools would you like roblox to give you to prevent that?
In my opinion the answer is: none… You can have the best tools available, but they will be no use if you don’t consider your game’s security yourself and don’t make use of them!

As the person above me said, this type of issues is game-specific and can be fixed easily without extra tools.

And that brings us to the following reply to my earlier post by the OP:

Let me ask this: what kind of “ammo” are we giving roblox with a bunch of vent posts where most of the time the issues are game-specific? What features should they create out of this?

And please don’t mention “sharing experience” and “bringing awareness”. They’re already aware of exploiting as an issue, and they constantly try to solve it (you might’ve noticed that i.e. even legitimate players were getting “unexpected client behavior” tempbans recently), and if they’ll take anything out of all the testimonials then it will likely be that they need to fully focus on the internal detections and not on giving developers more tools, due to what I said earlier.

As an experienced white hat, who has experience in dealing with developers and the vulnerabilities their games posess, one thing that sticks with me is that it seems there is never a single way to prevent specific exploits from being used.

I’ve helped various high and low profile games over the past 2 years now, and whenever I fix something, my clients tend to come back to me a few weeks later saying the issue they were having before has returned again.

What do you think this means?
It’s simple.

Whatever fix I had in place had been BYPASSED by some more savvy exploiter(s).

This wouldn’t be an issue if Roblox actually took action against script sharing sites like V3rmillion and RobloxScripts and YouTube channels that spread exploit scripts to the more skiddier kinds of exploiters.

Half the time, they obfuscate their scripts and hand out loadstrings to them, making my reverse engineering attempts near enough useless.

What makes it more damaging to Roblox is, a lot of these exploits are using Luau’s own compiler to run scripts nowadays, as it’s a lot faster for them to do so.

Also, just look at the synapse developer’s Roblox profile, 3dsboy08, how he is not poison banned by now?
I have no clue.

DLL injection is easy to prevent, they just cannot be bothered enough to do it, or are edging towards being against it.

I saw a thread on the devforums by @jasonfish4 about it from a few years back, but he was shutdown by admins with invalid arguments like “it’s false positive prone” and “it’s nearly impossible”.

So let me give you a rundown;

1. We now have exploits using Luau source to run exploit scripts

2. Roblox is not taking enough legal action against script sharing sites (such as V3rm and RobloxScripts) and exploiting youtubers (such as Sir Meme, TypicalModders, and Citizen)

3. Roblox is not taking enough legal action against exploit developers

4. Roblox is not doing enough to prevent third party DLL injection

5. Roblox does not provide enough remediation services for developers, and existing services are lacking

6. Roblox is not cracking down on client security enough in general